Geraldo Alcântara

**Nome do software vulnerável e versões afetadas** Sistema de Suporte ao Cliente versão 1.0 **Descrição** A vulnerabilidade permite que um invasor remoto obtenha privilégios elevados por meio de um script malicioso que utilize parâmetros como `firstname`, `lastname`, `middlename`, `contact` e `address`. **Recomendações** Para o Sistema de Suporte ao Cliente versão 1.0, considere desativar o uso dos parâmetros `firstname`, `lastname`, `middlename`, `contact` e `address` em scripts até que uma correção esteja disponível. Restrinja o acesso a áreas confidenciais do sistema para minimizar o risco de exploração. No momento, não há informações sobre uma versão mais recente que contenha uma correção para essa vulnerabilidade.

**Nome do software vulnerável e versões afetadas** Sistema de Gestão de Taxas Escolares versão 1.0 **Descrição** Uma vulnerabilidade de Cross Site Scripting (XSS) permite que um invasor remoto execute código arbitrário por meio de uma carga maliciosa direcionada ao componente `main settings` nos parâmetros `phone`, `address`, `bank`, `acc name`, `acc number`, `new class` e `cname`, função `add new parent` nos parâmetros `name` e `email`, função `new term` no parâmetro `tname` e função `edit student` no parâmetro `name`. **Recomendações** Como solução temporária, considere desativar o componente `main settings` e as funções `add new parent`, `new term` e `edit student` até que uma correção esteja disponível. Restrinja o acesso aos parâmetros vulneráveis `phone`, `address`, `bank`, `acc name`, `acc number`, `name`, `email`, `cname` e `tname` para minimizar o risco de exploração. No momento, não há informações sobre uma versão mais recente que contenha uma correção para essa vulnerabilidade.

**Nome do software vulnerável e versões afetadas** Simple Student Attendance System versão 1.0 **Descrição** A vulnerabilidade permite que um invasor remoto execute código arbitrário por meio de uma carga maliciosa direcionada ao parâmetro `id` nas páginas “student form.php” e “class form.php”. Isso permite que o invasor injete código SQL malicioso, o que pode levar a acesso não autorizado ou manipulação de dados. **Recomendações** Para o Simple Student Attendance System versão 1.0, considere desativar o parâmetro `id` nas páginas afetadas até que uma correção esteja disponível. Restrinja o acesso às páginas “student form.php” e “class form.php” para minimizar o risco de exploração. Evite usar o parâmetro `id` nessas páginas até que o problema seja resolvido. No momento, não há informações sobre uma versão mais recente que contenha uma correção para essa vulnerabilidade.

**Nome do software vulnerável e versões afetadas** Simple Student Attendance System versão 1.0 **Descrição** Uma vulnerabilidade de Cross Site Scripting (XSS) permite que um invasor remoto execute código arbitrário por meio de uma carga maliciosa direcionada aos parâmetros `page` ou `class month` no componente “/php-attendance/attendance report”. Isso permite que o invasor realize ações não autorizadas no sistema. **Recomendações** Para o Simple Student Attendance System versão 1.0, como solução temporária, considere desativar o acesso ao componente “/php-attendance/attendance report” até que um patch esteja disponível. Restrinja a entrada nos parâmetros `page` e `class month` para minimizar o risco de exploração. No momento, não há informações sobre uma versão mais recente que contenha uma correção para esta vulnerabilidade.

**Name of the Vulnerable Software and Affected Versions** Sourcecodester Customer Support System version 1.0 **Description** The issue concerns multiple SQL injection vulnerabilities in the /customer support/ajax.php?action=save ticket endpoint via `department id`, `customer id`, and `subject`. This allows for potential exploitation. **Recommendations** For version 1.0, consider disabling the `/customer support/ajax.php?action=save ticket` endpoint until a patch is available. Restrict access to the `department id`, `customer id`, and `subject` parameters in the affected endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Customer Support System version v1 **Description** The issue is related to a SQL injection vulnerability. This vulnerability can be exploited via the `email` parameter at the "/customer support/ajax.php" API endpoint. **Recommendations** For Customer Support System version v1, consider restricting access to the "/customer support/ajax.php" endpoint until a patch is available. As a temporary workaround, avoid using the `email` parameter in this endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Customer Support System version v1 **Description** The issue is related to a SQL injection vulnerability. This vulnerability can be exploited via the `username` parameter at the "/customer support/ajax.php?action=login" API endpoint. **Recommendations** For Customer Support System version v1, consider disabling the login functionality at the "/customer support/ajax.php?action=login" endpoint until a patch is available. Restrict access to the `username` parameter in the affected API endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Customer Support System version v1 **Description** The issue is related to a SQL injection vulnerability. This vulnerability can be exploited via the `lastname` parameter at the "/customer support/ajax.php?action=save user" API endpoint. **Recommendations** For Customer Support System version v1, consider restricting access to the `/customer support/ajax.php?action=save user` API endpoint until a patch is available. As a temporary workaround, avoid using the `lastname` parameter in this endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Customer Support System version v1 **Description** The issue is related to a SQL injection vulnerability. This vulnerability can be exploited via the `id` parameter at the "/customer support/manage department.php" API endpoint. **Recommendations** For Customer Support System version v1, consider restricting access to the "/customer support/manage department.php" endpoint until a patch is available. As a temporary workaround, avoid using the `id` parameter in this endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Customer Support System version v1 **Description** The issue is related to a SQL injection vulnerability. This vulnerability can be exploited via the `id` parameter at the "/customer support/index.php?page=edit customer" API endpoint. **Recommendations** For Customer Support System version v1, consider restricting access to the "/customer support/index.php?page=edit customer" endpoint until a patch is available. As a temporary workaround, avoid using the `id` parameter in this endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Customer Support System version v1 **Description** The issue is related to a SQL injection vulnerability. This vulnerability can be exploited via the `subject` parameter at the "/customer support/ajax.php?action=save ticket" API endpoint. **Recommendations** For Customer Support System version v1, consider restricting access to the "/customer support/ajax.php?action=save ticket" API endpoint until a patch is available. As a temporary workaround, avoid using the `subject` parameter in this endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Customer Support System version v1 **Description** A cross-site scripting (XSS) issue allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the `firstname` parameter at "/customer support/index.php?page=customer list". **Recommendations** For Customer Support System version v1, as a temporary workaround, consider restricting access to the `/customer support/index.php?page=customer list` endpoint until a patch is available. Avoid using the `firstname` parameter in the affected endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Customer Support System version v1 **Description** A cross-site scripting (XSS) issue allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the `email` parameter at "/customer support/index.php?page=customer list". This enables attackers to potentially steal user data or take control of user sessions. **Recommendations** For Customer Support System version v1, as a temporary workaround, consider restricting access to the "/customer support/index.php?page=customer list" endpoint until a patch is available. Avoid using the `email` parameter in the affected endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Customer Support System version v1 **Description** A cross-site scripting (XSS) issue allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the `contact` parameter at "/customer support/index.php?page=customer list". **Recommendations** For Customer Support System version v1, as a temporary workaround, consider restricting access to the "/customer support/index.php?page=customer list" endpoint until a patch is available. Avoid using the `contact` parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Customer Support System version v1 **Description** A cross-site scripting (XSS) issue allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the `subject` parameter at "/customer support/index.php?page=new ticket". **Recommendations** For Customer Support System version v1, as a temporary workaround, consider restricting access to the "/customer support/index.php?page=new ticket" endpoint until a patch is available. Avoid using the `subject` parameter in the affected endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Customer Support System version v1 **Description** A cross-site scripting (XSS) issue allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the `address` parameter at "/customer support/index.php?page=new customer". **Recommendations** For Customer Support System version v1, consider restricting access to the "/customer support/index.php?page=new customer" endpoint until a patch is available. As a temporary workaround, avoid using the `address` parameter in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Book Store Management System version 1.0 **Description** The issue allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the `category` parameter in the "/bsms ci/index.php/category" API endpoint. This enables the execution of malicious code on the client-side. **Recommendations** For Book Store Management System version 1.0, as a temporary workaround, consider restricting access to the "/bsms ci/index.php/category" API endpoint to minimize the risk of exploitation. Avoid using the `category` parameter in this endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Customer Support System version v1 **Description** A directory listing issue allows attackers to list directories and sensitive files within the application without requiring authorization. **Recommendations** For Customer Support System version v1, consider restricting access to sensitive directories and files to minimize the risk of exploitation. As a temporary workaround, review and adjust the application's authorization settings to ensure proper access controls are in place.

**Name of the Vulnerable Software and Affected Versions** Best Student Result Management System version 1.0 **Description** A directory listing issue allows attackers to list directories and sensitive files within the application without requiring authorization. **Recommendations** For Best Student Result Management System version 1.0, restrict access to sensitive directories and files to prevent unauthorized listing. Consider implementing proper access controls to mitigate the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** School Fees Management System version 1.0 **Description** A directory listing issue allows attackers to list directories and sensitive files within the application without requiring authorization. **Recommendations** For School Fees Management System version 1.0, consider restricting access to sensitive directories and files to minimize the risk of exploitation. As a temporary workaround, review and adjust the application's configuration to require proper authorization for directory listings.